termgw-secrets-removal
# bender: the connect-injected (sidecar) client workload of the demo.
# Four objects: ServiceDefaults (protocol), Service, ServiceAccount, Deployment.
---
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: bender
  namespace: default
spec:
  protocol: http
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: bender
    'my-meta': my-meta
  name: bender
  namespace: default
spec:
  ports:
    - port: 8080
      name: high
      protocol: TCP
      targetPort: 8080
  selector:
    app: bender
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: bender
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: bender
  name: bender
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: bender
  template:
    metadata:
      labels:
        app: bender
      annotations:
        # Opt this pod into the Consul sidecar injector (connectInject is enabled
        # in consul_values.yaml); traffic to zoidberg goes through the mesh.
        'consul.hashicorp.com/connect-inject': 'true'
    spec:
      serviceAccountName: bender
      containers:
        - name: bender
          image: nicholasjackson/fake-service:v0.26.0
          ports:
            - containerPort: 8080
          env:
            - name: LISTEN_ADDR
              value: "0.0.0.0:8080"
            - name: NAME
              value: bender
            - name: MESSAGE
              value: "bender bender bender"
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # NOTE(review): a Consul ACL token is injected as a plain-text env var.
            # The literal "root" is not the bootstrap token the setup script reads
            # from the consul-consul-bootstrap-acl-token secret, and nothing in this
            # manifest shows the container using it. If the workload really needs a
            # token, reference a Secret via valueFrom.secretKeyRef instead of a
            # literal value; otherwise drop the entry.
            - name: CONSUL_HTTP_TOKEN
              value: root
# kind cluster definition for the demo.
# The cluster name must match the `-n termgw` used by `kind load docker-image`
# and the `kind get clusters | grep termgw` check in the setup script.
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
name: termgw
nodes:
  - role: control-plane
    image: kindest/node:v1.25.3
  - role: worker
    image: kindest/node:v1.25.3
# Helm values for the consul-k8s chart used by the setup script
# (`helm upgrade --install consul ... -f ./consul_values.yaml`).
# Contains values that affect multiple components of the chart.
global:
  # Locally built control-plane image; the setup script side-loads it into
  # kind with `kind load docker-image consul-k8s-control-plane:local`.
  imageK8S: "consul-k8s-control-plane:local"
  image: "hashicorp/consul:1.18"
  # debug is verbose and may log request details; fine for a throwaway
  # local cluster, not a production default.
  logLevel: debug
  tls:
    enabled: true
  # With manageSystemACLs the chart bootstraps ACLs and stores the bootstrap
  # token in a Secret, which the setup script reads to talk to the API.
  acls:
    manageSystemACLs: true
server:
  enabled: true
  # The number of server agents to run. This determines the fault tolerance of the cluster.
  replicas: 1
# Contains values that configure the Consul UI.
ui:
  enabled: true
# Configures and installs the automatic Consul Connect sidecar injector.
connectInject:
  enabled: true
  transparentProxy:
    defaultEnabled: true
    defaultOverwriteProbes: true
dns:
  enabled: true
  enableRedirection: true
# The gateway that fronts the external zoidberg service (see termgw.yaml).
terminatingGateways:
  enabled: true
# Intention: only the "bender" source is listed as allowed to reach
# "zoidberg"; no other source appears here.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceIntentions
metadata:
  name: bender
  namespace: default
spec:
  destination:
    name: zoidberg
  sources:
    - name: bender
      action: allow
{ | |
"Datacenter": "dc1", | |
"Node": "gwtime-worker2-virtual", | |
"NodeMeta": { | |
"external-node": "true", | |
"external-probe": "true" | |
}, | |
"Address": "10.96.240.216", | |
"Service": { | |
"ID": "zoidberg-external", | |
"Service": "zoidberg", | |
"Tags": [ | |
"zoidberg", | |
"v1" | |
], | |
"Meta": { | |
"external": "true" | |
}, | |
"Port": 8081 | |
}, | |
"Check": { | |
"Node": "gwtime-worker2-virtual", | |
"CheckID": "service:zoidberg-external", | |
"Name": "zoidberg", | |
"Notes": "Script based health check", | |
"Status": "passing", | |
"ServiceID": "zoidberg-external", | |
"Definition": { | |
"HTTP": "localhost:8081/health", | |
"Interval": "5s", | |
"Timeout": "1s", | |
"DeregisterCriticalServiceAfter": "30s" | |
} | |
} | |
} |
# Mesh-wide proxy defaults: every sidecar speaks HTTP unless a ServiceDefaults
# overrides it.
apiVersion: consul.hashicorp.com/v1alpha1
kind: ProxyDefaults
metadata:
  name: global
spec:
  config:
    protocol: http
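#!/bin/bash
# Bring up a local kind cluster running Consul (TLS + ACLs + terminating
# gateway), deploy the bender/zoidberg demo workloads, register zoidberg in the
# Consul catalog as an external service, and grant the terminating-gateway ACL
# role write access to it.
#
# Inputs (files in the current directory): cluster.yaml, consul_values.yaml,
#   proxy-defaults.yaml, bender-service.yaml, zoidberg-service.yaml,
#   intention.yaml, termgw.yaml, payload.json, write-policy.hcl.
# Env:
#   CONSUL_K8S_CHARTS_LOCATION  optional; path to the consul-k8s chart
#                               (default: $HOME/hashi/consul-k8s/charts/consul).
# Side effects: rewrites ./payload.json in place (Address := zoidberg ClusterIP)
#   and leaves a `kubectl port-forward` to the Consul UI running in the
#   background so the UI stays reachable on 127.0.0.1:8501 after exit.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Keep the original default but let the caller override it.
export CONSUL_K8S_CHARTS_LOCATION="${CONSUL_K8S_CHARTS_LOCATION:-$HOME/hashi/consul-k8s/charts/consul}"
[[ -d "$CONSUL_K8S_CHARTS_LOCATION" ]] || die "chart not found at $CONSUL_K8S_CHARTS_LOCATION"

# Exact-name match: a substring grep would also accept e.g. "termgw-old".
if ! kind get clusters | grep -qx termgw; then
  kind create cluster --config cluster.yaml
fi
kind load docker-image consul-k8s-control-plane:local -n termgw

# Idempotent: a bare `kubectl create namespace` fails on re-runs and, under
# set -e, aborts the script before helm even starts.
kubectl get namespace consul >/dev/null 2>&1 || kubectl create namespace consul

echo "helm installing"
helm upgrade --install consul "$CONSUL_K8S_CHARTS_LOCATION" -f ./consul_values.yaml -n consul --create-namespace --wait
echo "helm is done"
kubectl wait --timeout=180s --for=condition=Available=True deployments/consul-consul-connect-injector -n consul

kubectl apply -f ./proxy-defaults.yaml
kubectl apply -f ./bender-service.yaml
kubectl apply -f ./zoidberg-service.yaml
kubectl apply -f ./intention.yaml
kubectl apply -f ./termgw.yaml
kubectl get svc -n consul

# Intentionally left running (not killed on exit): it also serves the UI.
kubectl port-forward service/consul-consul-ui 8501:443 -n consul &

export CONSUL_HTTP_ADDR="127.0.0.1:8501"
export CONSUL_HTTP_SSL=true
# The chart's CA is self-signed and this only ever talks to 127.0.0.1 on a
# throwaway kind cluster; do not carry this setting into anything shared.
export CONSUL_HTTP_SSL_VERIFY=false

# Separate assignment from `export` so a failing kubectl/base64 is not masked
# by export's own (always zero) status.
token=$(kubectl get --namespace consul secrets/consul-consul-bootstrap-acl-token --template='{{.data.token}}' | base64 -d)
[[ -n "$token" ]] || die "bootstrap ACL token is empty"
export CONSUL_HTTP_TOKEN="$token"

# port-forward is asynchronous: wait until the local port answers (any HTTP
# status counts) before the first request, otherwise curl races it.
ready=0
for _ in {1..30}; do
  if curl -ks -o /dev/null "https://$CONSUL_HTTP_ADDR/v1/status/leader"; then
    ready=1
    break
  fi
  sleep 1
done
(( ready )) || die "port-forward to consul-consul-ui on $CONSUL_HTTP_ADDR did not become reachable"

# register zoidberg service
ip=$(kubectl get service/zoidberg-external -o jsonpath='{.spec.clusterIP}')
[[ -n "$ip" ]] || die "could not read zoidberg-external ClusterIP"
tmp=$(mktemp)
# Remove the temp file on every exit path (no-op once it has been mv'd).
trap 'rm -f -- "$tmp"' EXIT
jq --arg a "$ip" '.Address = $a' ./payload.json >"$tmp"
mv "$tmp" ./payload.json
# The token is fed to curl on stdin (`--header @-`) instead of argv so it is not
# visible in `ps`; --fail turns an ACL denial (403) into a script failure
# instead of a silently skipped registration.
printf 'X-Consul-Token: %s\n' "$CONSUL_HTTP_TOKEN" | curl \
  -k \
  --fail \
  --show-error \
  --request PUT \
  --data @payload.json \
  --header @- \
  "https://$CONSUL_HTTP_ADDR/v1/catalog/register"

# update term gw role
# Creating a policy that already exists is an error; skip it on re-runs.
consul acl policy read -name zoidberg-write-policy >/dev/null 2>&1 \
  || consul acl policy create -name "zoidberg-write-policy" -rules @write-policy.hcl
# Require exactly one match: zero matches would otherwise yield "null" and the
# role update below would fail with a confusing error.
termgwRoleID=$(consul acl role list -format=json | jq --raw-output '[.[] | select(.Name | endswith("-terminating-gateway-acl-role"))] | if (. | length) == 1 then (. | first | .ID) else "Expected exactly one role named *-terminating-gateway-acl-role, found \(. | length).\n" | halt_error end')
[[ -n "$termgwRoleID" ]] || die "terminating gateway role ID is empty"
consul acl role update -id "$termgwRoleID" -policy-name zoidberg-write-policy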
# Exposes the externally registered "zoidberg" service through the
# terminating gateway (terminatingGateways.enabled in consul_values.yaml).
apiVersion: consul.hashicorp.com/v1alpha1
kind: TerminatingGateway
metadata:
  name: terminating-gateway
spec:
  services:
    - name: zoidberg
# ACL policy "zoidberg-write-policy": the setup script creates it from this file
# and attaches it to the *-terminating-gateway-acl-role role. It is scoped to
# the single service "zoidberg"; keep it that narrow rather than widening to a
# prefix rule.
service "zoidberg" {
  policy = "write"
}
# zoidberg-external: the workload that stands in for an "external" service.
# It is NOT sidecar-injected; the setup script reads this Service's ClusterIP
# and registers it in the Consul catalog via /v1/catalog/register so the
# terminating gateway can front it.
---
apiVersion: consul.hashicorp.com/v1alpha1
kind: ServiceDefaults
metadata:
  name: zoidberg-external
  namespace: default
spec:
  protocol: http
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: zoidberg-external
    external: "true"
  name: zoidberg-external
  namespace: default
spec:
  ports:
    - port: 8081
      name: high
      protocol: TCP
      targetPort: 8081
  selector:
    app: zoidberg-external
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: zoidberg-external
  namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: zoidberg-external
  name: zoidberg-external
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: zoidberg-external
  template:
    metadata:
      labels:
        app: zoidberg-external
      annotations:
        # Explicitly opted out of injection so the pod behaves like a service
        # outside the mesh.
        'consul.hashicorp.com/connect-inject': 'false'
    spec:
      serviceAccountName: zoidberg-external
      containers:
        - name: zoidberg-external
          image: nicholasjackson/fake-service:v0.26.0
          ports:
            - containerPort: 8081
          env:
            - name: LISTEN_ADDR
              value: "0.0.0.0:8081"
            - name: NAME
              value: zoidberg-external
            - name: MESSAGE
              value: "why not zoidberg-external"
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            # NOTE(review): plain-text ACL token in the pod spec. "root" is not the
            # bootstrap token the setup script reads from the
            # consul-consul-bootstrap-acl-token secret, and a non-injected pod has
            # no visible use for it here. Use valueFrom.secretKeyRef if a token is
            # genuinely required; otherwise remove the entry.
            - name: CONSUL_HTTP_TOKEN
              value: root